SecureMyi.com Security and Systems Management Newsletter for the IBM i
May 13, 2015 - Vol 5, Issue 6
Security Shorts
By Dan Riehl - SecureMyi.com

When assessing the security posture of an IBM i server, there are numerous critical focus areas. How are the users configured? How are the permissions assigned? What are the settings for security system values, etc.?

In evaluating security for IBM i, we examine the Security System Values for settings that are outside the norm for a secure system. One prime system value to examine is QSECURITY. QSECURITY specifies the Security Level of the system, a numeric value ranging from 20 to 50, with 50 typically being the most secure, 20 typically being the least secure. (I say "typically" because the security level itself can't be used to determine how secure a system is, only that it can be more secure at a higher security level.)

A security colleague told me about a recent assessment he performed in which the customer's QSECURITY system value was set to the highest value of 50. This was verified using the Display System Value (DSPSYSVAL) command. This setting indicated that someone at the company was certainly paying attention to the security of the system. But, when reviewing the Security setting that determines if Security Related System Values were correctly locked out from modification, the real truth came out.
The command Display Security Attributes (DSPSECA) can be used to examine the System Service Tools (SST) setting of whether Security System Values are protected from modification. It also shows additional security settings, including the QSECURITY level, as shown here:

                          Display Security Attributes

    User ID number . . . . . . . . . . . . . . :   591
    Group ID number  . . . . . . . . . . . . . :   165
    Security level . . . . . . . . . . . . . . :   30
      Pending security level . . . . . . . . . :   50
    Password level . . . . . . . . . . . . . . :   0
    Allow change of security related system
      values . . . . . . . . . . . . . . . . . :   *NO
    Allow add of digital certificates  . . . . :   *NO
    Allow service tools user ID with default
      and expired password to change its own
      password . . . . . . . . . . . . . . . . :   *NO

While the Service Tools setting of "Allow Change of Security Related System Values" was securely set as "*NO," my colleague also noticed that the system wasn't actually running Security Level 50. The DSPSECA display above shows the security level 50 as a "Pending security level" setting. The pending setting showed that the QSECURITY System Value had indeed been changed to level 50, but that the system was still running QSECURITY level 30 until an IPL (i.e., reboot) was performed. This was an IPL that was never going to happen.

In preparation for the upcoming assessment, the customer had set the QSECURITY system value to 50, knowing that the higher security setting wouldn't actually go into effect until an IPL was performed. The customer sadly acknowledged that the pending setting was an attempt to make the system appear more secure than it actually was and that as soon as the assessment was completed, the system value would be reset to the original security level 30 setting. Because security level 30 is known to have very serious flaws, the customer wanted to make the system appear to be running at the highest security level of 50.
This ruse would have succeeded with a less competent auditor.

If you are running at a Security Level less than 40, you really need to get the level up to at least level 40. For almost all systems I've seen, it's not a huge project to move from QSECURITY level 30 to 40. And the upgrade provides a mountain of additional protection for your system.
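
The comparison that exposed the pending level can be automated. The following is an added example, not code from the newsletter or from IBM: a Python script that parses DSPSECA display text saved as plain text and flags a running security level that differs from the pending one. The function names, the minimum_level parameter and the treatment of an empty pending field are assumptions.

```python
# Added example: audit saved DSPSECA display text (sample below is constructed
# from the screen shown in the article).
SAMPLE_DSPSECA = """\
                      Display Security Attributes

User ID number . . . . . . . . . . . . . . :   591
Group ID number  . . . . . . . . . . . . . :   165
Security level . . . . . . . . . . . . . . :   30
  Pending security level . . . . . . . . . :   50
Password level . . . . . . . . . . . . . . :   0
Allow change of security related system
  values . . . . . . . . . . . . . . . . . :   *NO
Allow add of digital certificates  . . . . :   *NO
"""

def parse_dspseca(text):
    """Return {lowercased label: value}, joining labels wrapped over lines."""
    fields, carry = {}, []
    for line in text.splitlines():
        if not line.strip():
            carry = []                      # blank line: drop title/partial label
            continue
        head, sep, value = line.rpartition(":")
        if not sep:
            carry.append(line.strip())      # label continues on the next line
            continue
        label = " ".join(carry + [head.rstrip(" .").strip()])
        fields[label.lower()] = value.strip()
        carry = []
    return fields

def audit(fields, minimum_level=40):
    """List findings; minimum_level is a hypothetical policy parameter."""
    findings = []
    running = int(fields["security level"])
    raw = fields.get("pending security level", "")
    pending = int(raw) if raw.isdigit() else running  # assumption: empty = none pending
    if pending != running:
        findings.append(f"QSECURITY set to {pending} but system runs level "
                        f"{running} until the next IPL")
    if running < minimum_level:
        findings.append(f"running security level {running} is below {minimum_level}")
    if fields.get("allow change of security related system values") != "*NO":
        findings.append("security related system values are not locked in SST")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_dspseca(SAMPLE_DSPSECA)):
        print("FINDING:", finding)
```

Run against the sample, the script reports both the pending/running mismatch and the running level below 40, which is the pair of facts a check of the QSECURITY system value alone would miss.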
Copyright 2015 - SecureMyi.com, all rights reserved
SecureMyi.com | St Louis MO 63017